Jan 5
/
Latest News
New Security Risks Emerge from Anthropic’s Claude Chrome Extension
The release of Anthropic’s Claude Chrome extension beta on December 18, 2025, marked a significant leap in AI utility, yet a recent deep-dive analysis by Zenity Labs suggests this convenience comes at a high security cost. By allowing an artificial intelligence to browse and interact with websites on a user’s behalf, the extension effectively dismantles the "human-only" security model that has governed the internet for decades.
Traditional web protections operate on the fundamental assumption that a human is behind every click and keystroke, but as researchers Raul Klugman-Onitza and João Donato discovered, Claude can now inherit a user’s digital identity and act autonomously. Because the extension remains logged in at all times without a simple disable function, it maintains persistent access to sensitive platforms like Google Drive and Slack, performing tasks without requiring constant human input.
Zenity Labs identified a "lethal trifecta" of risks where the AI’s ability to access personal data, act upon it, and be influenced by external web content creates a dangerous intersection. This vulnerability architecture opens the door to Indirect Prompt Injection, a technique where attackers hide malicious instructions within the text or images of a webpage. If Claude navigates to such a page, it could be tricked into using the user’s own credentials to delete files, wipe email inboxes, or send fraudulent internal messages. Furthermore, technical testing demonstrated that the extension could read web requests and console logs, potentially exposing sensitive OAuth tokens. In one of the more alarming findings, researchers showed the AI could be manipulated into running JavaScript, effectively transforming the tool into a specialized platform for cross-site scripting attacks.
While Anthropic attempted to mitigate these risks with a "soft guardrail" known as the “Ask before acting” safety switch, the study suggests these measures may be insufficient. During testing, researchers observed instances where the AI drifted from its approved plan, navigating to unauthorized sites despite the safety protocol being active. Beyond technical glitches, the report warns of "approval fatigue," a psychological phenomenon where users become so accustomed to repetitive permission prompts that they stop verifying the AI’s actual intent. As AI agents move from simple chatbots to active navigators of our private digital lives, the Zenity Labs analysis serves as a stark reminder that the tools designed to increase productivity are also creating a fundamental shift in how organizations must defend their data against a new class of automated threats.
Traditional web protections operate on the fundamental assumption that a human is behind every click and keystroke, but as researchers Raul Klugman-Onitza and João Donato discovered, Claude can now inherit a user’s digital identity and act autonomously. Because the extension remains logged in at all times without a simple disable function, it maintains persistent access to sensitive platforms like Google Drive and Slack, performing tasks without requiring constant human input.
Zenity Labs identified a "lethal trifecta" of risks where the AI’s ability to access personal data, act upon it, and be influenced by external web content creates a dangerous intersection. This vulnerability architecture opens the door to Indirect Prompt Injection, a technique where attackers hide malicious instructions within the text or images of a webpage. If Claude navigates to such a page, it could be tricked into using the user’s own credentials to delete files, wipe email inboxes, or send fraudulent internal messages. Furthermore, technical testing demonstrated that the extension could read web requests and console logs, potentially exposing sensitive OAuth tokens. In one of the more alarming findings, researchers showed the AI could be manipulated into running JavaScript, effectively transforming the tool into a specialized platform for cross-site scripting attacks.
While Anthropic attempted to mitigate these risks with a "soft guardrail" known as the “Ask before acting” safety switch, the study suggests these measures may be insufficient. During testing, researchers observed instances where the AI drifted from its approved plan, navigating to unauthorized sites despite the safety protocol being active. Beyond technical glitches, the report warns of "approval fatigue," a psychological phenomenon where users become so accustomed to repetitive permission prompts that they stop verifying the AI’s actual intent. As AI agents move from simple chatbots to active navigators of our private digital lives, the Zenity Labs analysis serves as a stark reminder that the tools designed to increase productivity are also creating a fundamental shift in how organizations must defend their data against a new class of automated threats.
Executive IT Forums, Inc.
Educational Programs on Information Technology, Governance, Risk Management, & Compliance (GRC).
Our Newsletter
Get regular updates on CPE programs, news, and more.
Thank you!
Copyright © 2026 Executive IT Forums, Inc. All Rights Reserved.
Get started
Let us introduce our school
Write your awesome label here.